From bcac4db4e66ad2306ab113a794a416328ee8003f Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 15 Oct 2025 12:28:28 +0200 Subject: [PATCH 1/9] workflow test --- .github/workflows/release.yml | 170 ++++++++++++++++++---------------- 1 file changed, 92 insertions(+), 78 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 69770ab..34511a0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,42 +1,43 @@ name: Make a new release - on: push: - tags: - - v*.*.* + branches: + - apt_repository + # tags: + # - v*.*.* concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: - build-docker-release: - # Ignore tags with -, like v1.0.0-alpha - # This job will build the docker container with the "latest" tag which - # is a tag used in production, thus it should only be run for full releases. - if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') - name: Build Release Docker image - uses: ./.github/workflows/build-docker.yml - with: - tags: | - type=raw,value=latest - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=sha - - build-docker-prerelease: - # Only build tags with -, like v1.0.0-alpha - if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') - name: Build Pre-release Docker image - uses: ./.github/workflows/build-docker.yml - with: - tags: | - type=raw,value=pre-release - type=semver,pattern={{version}} - type=sha - # Explicitly disable latest tag. It will be added otherwise. - flavor: | - latest=false + # build-docker-release: + # # Ignore tags with -, like v1.0.0-alpha + # # This job will build the docker container with the "latest" tag which + # # is a tag used in production, thus it should only be run for full releases. 
+ # if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') + # name: Build Release Docker image + # uses: ./.github/workflows/build-docker.yml + # with: + # tags: | + # type=raw,value=latest + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=sha + + # build-docker-prerelease: + # # Only build tags with -, like v1.0.0-alpha + # if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') + # name: Build Pre-release Docker image + # uses: ./.github/workflows/build-docker.yml + # with: + # tags: | + # type=raw,value=pre-release + # type=semver,pattern={{version}} + # type=sha + # # Explicitly disable latest tag. It will be added otherwise. + # flavor: | + # latest=false create-release: name: create-release @@ -47,16 +48,16 @@ jobs: - name: Create GitHub release id: release uses: softprops/action-gh-release@v1 - if: startsWith(github.ref, 'refs/tags/') + # if: startsWith(github.ref, 'refs/tags/') with: draft: true generate_release_notes: true - create-sbom: - needs: [create-release, build-docker-release] - uses: ./.github/workflows/sbom.yml - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} + # create-sbom: + # needs: [create-release, build-docker-release] + # uses: ./.github/workflows/sbom.yml + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} build-binaries: needs: [create-release] 
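Review bot: The tag trigger and both docker jobs are disabled by commenting them out rather than by gating them, so a reviewer has to read roughly sixty `# `-prefixed lines to confirm they are unchanged, and patch 4 has to reverse every one of them by hand. A `workflow_dispatch` trigger, or a job-level `if:` guard that is flipped for the test, would exercise the new apt steps without touching the `on.push.tags` block; as written, any push to `apt_repository` now runs the release workflow end to end. The `jobs:` mapping continues past this hunk.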
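Review bot: Commenting out `if: startsWith(github.ref, 'refs/tags/')` on the "Create GitHub release" step means every push to the test branch creates a new draft release in the real repository, and `build-binaries` still consumes its `upload_url`, so branch-built artifacts get attached to that draft. If the guard must be bypassed for the test, `if: false` or a `workflow_dispatch` input is easier to spot later than a commented line. The `build-binaries` job continues past this hunk.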
@@ -67,27 +68,32 @@ jobs: strategy: fail-fast: false matrix: - build: [linux, linux-arm64, freebsd] + build: [linux] #, linux-arm64, freebsd] include: - build: linux arch: amd64 os: Linux target: x86_64-unknown-linux-gnu - - build: linux-arm64 - arch: arm64 - os: Linux - target: aarch64-unknown-linux-gnu - - build: freebsd - arch: amd64 - os: Linux - target: x86_64-unknown-freebsd + # - build: linux-arm64 + # arch: arm64 + # os: Linux + # target: aarch64-unknown-linux-gnu + # - build: freebsd + # arch: amd64 + # os: Linux + # target: x86_64-unknown-freebsd steps: # Store the version, stripping any v-prefix + # - name: Write release version + # run: | + # VERSION=${GITHUB_REF_NAME#v} + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> $GITHUB_ENV - name: Write release version run: | VERSION=${GITHUB_REF_NAME#v} echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV + echo "VERSION=1.5.1" >> $GITHUB_ENV - name: Checkout uses: actions/checkout@v4 
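Review bot: `echo "VERSION=1.5.1" >> $GITHUB_ENV` stamps a real release number onto a branch build, and the "Upload DEB to apt repository" step later in this job pushes that artifact to the production bucket `apt.defguard.net` under that name; whether deb-s3 then overwrites or skips an existing 1.5.1 is not visible here, but either way a test run is mutating the published index. An override like this is safer taken from a variable that falls back to the tag (`VERSION=${TEST_VERSION:-${GITHUB_REF_NAME#v}}`) and aimed at a staging bucket or component, so a test cannot replace a shipped version. The commented duplicate of the step directly above it can simply be dropped. The steps list continues past the hunk.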
@@ -177,41 +183,49 @@ jobs: asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb asset_content_type: application/octet-stream + - name: Upload DEB to apt repository + if: matrix.build == 'linux' + run: | + export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" + COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. + + deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb + - name: Run `packer init` if: matrix.build == 'linux' && matrix.arch == 'amd64' id: init run: "packer init ./images/ami/proxy.pkr.hcl" - - name: Build AMI images for multiple regions - if: matrix.build == 'linux' && matrix.arch == 'amd64' - run: | - regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - for region in "${regions[@]}"; do - echo "Building AMI for region: $region" - echo "Running packer validate for $region..." - packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - echo "Building AMI image for $region..." 
- packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - done - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Build RPM package - if: matrix.build == 'linux' - uses: bpicode/github-action-fpm@master - with: - fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" - - - name: Upload RPM - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - asset_content_type: application/octet-stream + # - name: Build AMI images for multiple regions + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # run: | + # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + # for region in "${regions[@]}"; do + # echo "Building AMI for region: $region" + # echo "Running packer validate for $region..." + # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + # echo "Building AMI image for $region..." 
+ # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + # done + # env: + # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # - name: Build RPM package + # if: matrix.build == 'linux' + # uses: bpicode/github-action-fpm@master + # with: + # fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" + + # - name: Upload RPM + # if: matrix.build == 'linux' + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + # asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + # asset_content_type: application/octet-stream From b99defe1ca03bfefff33c865d685c4ff4c845906 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 15 Oct 2025 12:35:52 +0200 Subject: [PATCH 2/9] edit secrets --- .github/workflows/release.yml | 42 ++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 34511a0..9e3090b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
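Review bot: The new "Upload DEB to apt repository" step passes `${{ secrets.AWS_ACCESS_KEY }}` and `${{ secrets.AWS_SECRET_KEY }}` as `deb-s3` command-line flags, so the credentials are visible in the process list and in any shell tracing on the runner — GitHub masks them only in the log, and the hard-coded `/srv/github/defguard/...` PATH suggests a self-hosted host shared with other processes. Move them to the step's `env:` as `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` and drop the two flags; deb-s3 sits on the AWS SDK, which should pick those variables up, worth confirming with the installed gem. For the same reason `COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] ...` should read `$GITHUB_REF_NAME` instead of interpolating the ref into the script, as the "Write release version" step already does. The same argv pattern survives the secret rename in patch 2 and reappears in the `Authorization: Bearer` header of the apt-sign job. The steps list continues past the hunk.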
@@ -189,7 +189,7 @@ jobs: export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. - deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb + deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb - name: Run `packer init` 
@@ -229,3 +229,43 @@ jobs: # asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm # asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm # asset_content_type: application/octet-stream + + apt-sign: + needs: + - build-binaries + runs-on: + - self-hosted + - Linux + - X64 + strategy: + fail-fast: false + steps: + - name: Sign APT repository on trixie + run: | + export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }} + export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }} + export AWS_REGION=eu-north-1 + sudo apt update -y + sudo apt install -y awscli curl jq + + #For trixie + aws s3 cp s3://apt.defguard.net/dists/trixie/Release . + curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ + -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ + -F "file=@Release" \ + -o response.json + cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg + cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease + aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read + aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read + + #For bookworm + aws s3 cp s3://apt.defguard.net/dists/bookworm/Release . + curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ + -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ + -F "file=@Release" \ + -o response.json + cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg + cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease + aws s3 cp Release.gpg s3://apt.defguard.net/dists/bookworm/ --acl public-read + aws s3 cp InRelease s3://apt.defguard.net/dists/bookworm/ --acl public-read From 5bd366f4cc81d79b62f3451cc4219bb08246e73a Mon Sep 17 00:00:00 2001 
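Review bot: Nothing in the new `apt-sign` job checks that the signing service actually returned signatures before the files are published world-readable: `curl` runs without `--fail`, so an HTTP error body lands in `response.json`, `jq -r` then prints `null`, `base64 --decode` turns that into three bytes without complaint, and a corrupt `Release.gpg` / `InRelease` is uploaded with `--acl public-read`, breaking `apt update` for every client of the repository. Because the default `run` shell is `bash -e` without `pipefail`, a failure of `jq` or `base64` inside those pipelines is also invisible. Add `set -euo pipefail`, `--fail` on curl, `jq -e` so a missing field is an error, and a `gpg --verify` against the repository's public key before either upload; the step-level `env:` also replaces the inline `export` of the AWS keys (the bearer token still lands on curl's argv — a curl config file via `-K` avoids that if it matters on this host). The loop rewrite in patch 6 keeps the same unchecked shape, so this applies there too; the mapping of `.files.Release.content` to `InRelease` is taken on trust from the service's schema.
```yaml
      - name: Sign APT repository on trixie
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_APT }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_APT }}
          AWS_REGION: eu-north-1
          SIGNING_URL: ${{ secrets.DEFGUARD_SIGNING_URL }}
          SIGNING_API_KEY: ${{ secrets.DEFGUARD_SIGNING_API_KEY }}
        run: |
          set -euo pipefail
          # … unchanged: apt update/install, download of dists/trixie/Release …
          curl --fail -sS -X POST "${SIGNING_URL}?signature_type=both" \
            -H "Authorization: Bearer ${SIGNING_API_KEY}" \
            -F "file=@Release" \
            -o response.json
          # -e makes jq exit non-zero when the field is missing or null
          jq -er '.files["Release.gpg"].content' response.json | base64 --decode > Release.gpg
          jq -er '.files.Release.content' response.json | base64 --decode > InRelease
          # refuse to publish anything that does not verify against the repository key
          gpg --no-default-keyring --keyring "<PATH_TO_REPO_PUBKEY_KEYRING>" --verify Release.gpg Release
          gpg --no-default-keyring --keyring "<PATH_TO_REPO_PUBKEY_KEYRING>" --verify InRelease
          # … unchanged: aws s3 cp of Release.gpg and InRelease …
```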
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 15 Oct 2025 12:42:16 +0200 Subject: [PATCH 3/9] remove bookworm signing --- .github/workflows/release.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e3090b..b709199 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -257,15 +257,4 @@ jobs: cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read - aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read - - #For bookworm - aws s3 cp s3://apt.defguard.net/dists/bookworm/Release . - curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ - -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ - -F "file=@Release" \ - -o response.json - cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg - cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease - aws s3 cp Release.gpg s3://apt.defguard.net/dists/bookworm/ --acl public-read - aws s3 cp InRelease s3://apt.defguard.net/dists/bookworm/ --acl public-read + aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read \ No newline at end of file From dd9e28ac7699e76f7588605f35ddfe3d1bbd2d6b Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 15 Oct 2025 12:56:45 +0200 Subject: [PATCH 4/9] ready to release --- .github/workflows/release.yml | 159 ++++++++++++++++------------------ 1 file changed, 76 insertions(+), 83 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b709199..7a41f5d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,43 +1,41 @@ name: Make a new release on: push: - branches: - - apt_repository - # tags: - # - v*.*.* + tags: + - v*.*.* concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: - # build-docker-release: - # # Ignore tags with -, like v1.0.0-alpha - # # This job will build the docker container with the "latest" tag which - # # is a tag used in production, thus it should only be run for full releases. - # if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') - # name: Build Release Docker image - # uses: ./.github/workflows/build-docker.yml - # with: - # tags: | - # type=raw,value=latest - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - # type=sha - - # build-docker-prerelease: - # # Only build tags with -, like v1.0.0-alpha - # if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') - # name: Build Pre-release Docker image - # uses: ./.github/workflows/build-docker.yml - # with: - # tags: | - # type=raw,value=pre-release - # type=semver,pattern={{version}} - # type=sha - # # Explicitly disable latest tag. It will be added otherwise. - # flavor: | - # latest=false + build-docker-release: + # Ignore tags with -, like v1.0.0-alpha + # This job will build the docker container with the "latest" tag which + # is a tag used in production, thus it should only be run for full releases. 
+ if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') + name: Build Release Docker image + uses: ./.github/workflows/build-docker.yml + with: + tags: | + type=raw,value=latest + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=sha + + build-docker-prerelease: + # Only build tags with -, like v1.0.0-alpha + if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') + name: Build Pre-release Docker image + uses: ./.github/workflows/build-docker.yml + with: + tags: | + type=raw,value=pre-release + type=semver,pattern={{version}} + type=sha + # Explicitly disable latest tag. It will be added otherwise. + flavor: | + latest=false create-release: name: create-release @@ -48,16 +46,16 @@ jobs: - name: Create GitHub release id: release uses: softprops/action-gh-release@v1 - # if: startsWith(github.ref, 'refs/tags/') + if: startsWith(github.ref, 'refs/tags/') with: draft: true generate_release_notes: true - # create-sbom: - # needs: [create-release, build-docker-release] - # uses: ./.github/workflows/sbom.yml - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} + create-sbom: + needs: [create-release, build-docker-release] + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} build-binaries: needs: [create-release] 
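Review bot: With `needs: [create-release, build-docker-release]` restored, `create-sbom` is skipped for every pre-release tag, because `build-docker-release` has `!contains(github.ref, '-')` in its `if:` and a dependent job of a skipped job is skipped by default; the pre-release docker image therefore ships without an SBOM. If that is intended, say so above the job, `# Skipped for pre-release tags: depends on build-docker-release, which only runs for full releases.`; if not, the job needs to depend on both docker jobs with an `if:` that tolerates one of them being skipped. The `build-binaries` job continues past the hunk.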
@@ -68,32 +66,27 @@ jobs: strategy: fail-fast: false matrix: - build: [linux] #, linux-arm64, freebsd] + build: [linux, linux-arm64, freebsd] include: - build: linux arch: amd64 os: Linux target: x86_64-unknown-linux-gnu - # - build: linux-arm64 - # arch: arm64 - # os: Linux - # target: aarch64-unknown-linux-gnu - # - build: freebsd - # arch: amd64 - # os: Linux - # target: x86_64-unknown-freebsd + - build: linux-arm64 + arch: arm64 + os: Linux + target: aarch64-unknown-linux-gnu + - build: freebsd + arch: amd64 + os: Linux + target: x86_64-unknown-freebsd steps: # Store the version, stripping any v-prefix - # - name: Write release version - # run: | - # VERSION=${GITHUB_REF_NAME#v} - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> $GITHUB_ENV - name: Write release version run: | VERSION=${GITHUB_REF_NAME#v} echo Version: $VERSION - echo "VERSION=1.5.1" >> $GITHUB_ENV + echo "VERSION=$VERSION" >> $GITHUB_ENV - name: Checkout uses: actions/checkout@v4 @@ -183,6 +176,7 @@ jobs: asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb asset_content_type: application/octet-stream + - name: Upload DEB to apt repository if: matrix.build == 'linux' run: | 
@@ -191,44 +185,43 @@ jobs: deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb - - name: Run `packer init` if: matrix.build == 'linux' && matrix.arch == 'amd64' id: init run: "packer init ./images/ami/proxy.pkr.hcl" - # - name: Build AMI images for multiple regions - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # run: | - # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - # for region in "${regions[@]}"; do - # echo "Building AMI for region: $region" - # echo "Running packer validate for $region..." - # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - # echo "Building AMI image for $region..." - # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - # done - # env: - # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + - name: Build AMI images for multiple regions + if: matrix.build == 'linux' && matrix.arch == 'amd64' + run: | + regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + for region in "${regions[@]}"; do + echo "Building AMI for region: $region" + echo "Running packer validate for $region..." + packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + echo "Building AMI image for $region..." 
+ packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + done + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - # - name: Build RPM package - # if: matrix.build == 'linux' - # uses: bpicode/github-action-fpm@master - # with: - # fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" + - name: Build RPM package + if: matrix.build == 'linux' + uses: bpicode/github-action-fpm@master + with: + fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" - # - name: Upload RPM - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - # asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - # asset_content_type: application/octet-stream + - name: Upload RPM + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + asset_name: 
defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + asset_content_type: application/octet-stream apt-sign: needs: From 968b3b2357986f9a1466d0ae037fb31123bc696a Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 15 Oct 2025 15:15:42 +0200 Subject: [PATCH 5/9] Added ruby to path --- .github/workflows/release.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7a41f5d..e65ab31 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -177,6 +177,13 @@ jobs: asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb asset_content_type: application/octet-stream + - name: Install ruby with deb-s3 + if: matrix.build == 'linux' + run: | + sudo apt-get install -y ruby + gem install deb-s3 + echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH + - name: Upload DEB to apt repository if: matrix.build == 'linux' run: | From 2912e46d67e57ca7803fc1a16c0f642a284a7893 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Thu, 16 Oct 2025 13:38:16 +0200 Subject: [PATCH 6/9] for loop --- .github/workflows/release.yml | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e65ab31..2f65346 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
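Review bot: `uses: bpicode/github-action-fpm@master` runs whatever that branch points at on release day, inside a job that holds `GITHUB_TOKEN` and, in the AMI step, AWS credentials; a mutable ref is the weakest link in this workflow's supply chain. Pin it to a full commit SHA with the tag in a trailing comment, `uses: bpicode/github-action-fpm@<COMMIT_SHA> # <tag>`, and consider the same for `softprops/action-gh-release@v1`; `actions/upload-release-asset@v1.0.2` appears to be archived upstream, which is worth confirming before relying on it for new assets. The AMI step shows the right credential pattern (`env:` on the step), while the deb-s3 step earlier in the same job still passes its keys as flags. The job continues past the hunk into `apt-sign`.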
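Review bot: `gem install deb-s3` fetches the newest version on rubygems.org on every release run, and that code is then handed the apt bucket's AWS credentials; pin it, `gem install deb-s3 -v "<PINNED_VERSION>"`, so a new or hijacked gem release cannot change what runs here without a reviewed diff. `sudo apt-get install -y ruby` with no preceding `apt-get update` may fail on a runner with stale package lists — the apt-sign job does run `apt update` first, so the two steps should agree. `echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> "$GITHUB_PATH"` also quotes the target. The matrix job continues past the hunk.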
@@ -248,13 +248,17 @@ jobs: sudo apt update -y sudo apt install -y awscli curl jq - #For trixie - aws s3 cp s3://apt.defguard.net/dists/trixie/Release . - curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ - -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ - -F "file=@Release" \ - -o response.json - cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg - cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease - aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read - aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read \ No newline at end of file + for DIST in trixie; do + aws s3 cp s3://apt.defguard.net/dists/{$DIST}/Release . + + curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ + -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ + -F "file=@Release" \ + -o response.json + + cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg + cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease + + aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read + aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read + done \ No newline at end of file From e2812bba217868ebe830487566309f4b0a3130ee Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Thu, 16 Oct 2025 13:41:08 +0200 Subject: [PATCH 7/9] typo 2 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f65346..87eb0d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
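Review bot: Inside the new `for DIST in trixie` loop, `cat response.json | jq -r ...` can read the file directly, `jq -r '.files["Release.gpg"].content' response.json | base64 --decode > Release.gpg`, and the `aws s3 cp ... dists/${DIST}/` lines should quote the expansion (`"${DIST}"`) like the other variables in this script. The loop also reuses `Release`, `response.json`, `Release.gpg` and `InRelease` in the working directory, which is harmless with one codename but becomes a stale-file risk once a second dist is listed, so clearing them at the top of each iteration keeps the step safe to extend. The closing `done` is the end of the `run` block and of the file.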
@@ -249,7 +249,7 @@ jobs: sudo apt install -y awscli curl jq for DIST in trixie; do - aws s3 cp s3://apt.defguard.net/dists/{$DIST}/Release . + aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release . curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ From cb7121dcadcc86dcb8b522ccf86bd708f43709f5 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Thu, 16 Oct 2025 13:43:12 +0200 Subject: [PATCH 8/9] remove export --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 87eb0d4..6adcb24 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -187,7 +187,6 @@ jobs: - name: Upload DEB to apt repository if: matrix.build == 'linux' run: | - export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb From 91360fc37fe6ac372cec3e4813ca8e13873360b7 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Thu, 16 Oct 2025 13:43:53 +0200 Subject: [PATCH 9/9] add eol --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6adcb24..b398440 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -260,4 +260,4 @@ jobs: aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read - done \ No newline at end of file + done